Cloud Providers Serving Government Must Store Data in India

To help ensure that data is properly protected, the Ministry of Electronics and Information Technology has mandated that all cloud service providers that handle government data store it on servers in India and not in other countries.

The guidelines require that cloud service providers' contracts with the government clearly state that all services and data are guaranteed to reside in India. MeitY says cloud vendors must include in the contract details of the location of the data that they are processing, storing or hosting for the government.

Although most cloud service providers have hosted websites and servers outside India due to perceived cost advantages as well as business continuity and legal concerns, it's now critical to locate the data within India to take appropriate security and legal measures in case of cyberattacks, some cybersecurity experts say (see: Parliament: Store Critical Data in India).

"The new guidelines will have a positive impact on the cloud service providers who can now take advantage of data localization and seek the government's support on any legal implications it might face," says Prashant Mali, a Mumbai-based attorney who's an international cybersecurity expert.

But Ritesh Bhatia, founder director at V4WEB, a company that specializes in creating secured websites and cybercrime investigations, contends the government has taken a lackadaisical approach towards ensuring that its cloud partners establish adequate security for storing critical data in India. He claims the government's data privacy and regulatory policy is too weak.

The new mandate means that cloud service providers will need to invest in new infrastructure to store critical data and secure legacy applications, some security practitioners point out (see: Insurers Face New Security Mandates).

Control Over Data

Puneet Bhasin, cyber law expert at Cyberjure Legal Consulting in Mumbai, contends the mandate is a good move because it will help cloud service providers to improve control over data and take the right security steps.

But in addition to creating an indigenous infrastructure, it's critical that the government collaborate with cloud service providers and create a strong threat information sharing platform, says S. Sriram, co-founder at iValue Solutions, a managed service provider.

And Mali points out that a key challenge in shifting to domestic data storage will be handling the migration without data loss.

Focusing on More Than Cost

In taking steps to ensure data security, the government must look beyond entering contracts with the lowest-cost cloud services provider, experts say.

"More often than not, lowest price is the criteria for purchase, impacting the quality of design, solution and services - which is not good for critical initiatives involving sensitive data of crores of people," Sriram says.

Bikash Barai, co-founder at FireCompass, an AI-based assistant for IT security decision makers, adds: "What could help is when it comes to a situation where you don't want to compromise on your security, the mindset to go for cheap things needs to change. While government has issued security guidelines for cloud service partners, it has to do away with the concept of L1 bidding, which may not deter corruption, but it definitely jeopardises the quality of implementation and security of data."

L1 refers to the lowest bidder who generally wins government contracts.

Barai contends the government needs a stronger risk management program. "Apart from preventing threats, the government needs strong investments in incident response and recovery," he says. "Additionally, one should develop predictive capability, like threat intelligence, to identify possible threats before they become real."

Government departments also should take into account their legal obligations to disclose their outsourcing arrangements and the circumstances under which data may be disclosed to cloud partners, MeitY says. And in the event of termination of the outsourcing agreement, the government must ensure that all customer data is completely retrieved from the service provider, the guideline says.

About the Author

Suparna Goswami is principal correspondent at ISMG Asia and has more than 10 years of experience in the field of journalism. She has covered a variety of beats ranging from global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed to Forbes Asia, where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine, and leading Indian newspapers like DNA and Times of India.
